Who will pay the cost for Digital Security? On the regulation of Uber and large digital companies

In 2006, when I came to Calgary, identity theft was something that we had all heard about. While I did not have RFID sleeves for my credit cards yet, I was able to take precautions. When I took a cab in 2006 from the airport to downtown Calgary, I could take steps to protect myself by using cash or travellers’ cheques. I could also monitor the cabbie while they inserted the debit or credit card into the manual imprinter or the fancy new portable digital terminal.

However, to be truthful, most people didn’t take those steps because the system was pretty secure. For the taxi cab system in most cities had a hundred years of experience. As a result, the stakeholders found ways to share the cost of security. Cab companies would pick up some of the cost through the licensing system and pay to have the right to access debit or credit card networks. Banks and debit and/or credit card networks would recoup some of their costs through the fees they charged. In paying for the service, each cab customer would also pick up a marginal portion of the cost of securing the cab network and customers from fraudulent, malevolent or illegal activity. This system had come into existence over the years, if not decades, because one stakeholder or another had been wronged or cheated by individuals or organizations. It was slightly more expensive and less efficient than it would otherwise have been; but we, as a society, wanted to ensure that the system worked and was secure.

However, with the emergence of digital firms, one thing has become clear: no one has been asked to pay for the cost of providing the security for this new digital and on-line world. Take Uber as an example. Uber argued that their service was better because it was cheaper and didn’t require all of those ridiculous rules that the taxi cab industry and their regulators wanted. Uber said that the existing system was antiquated and no longer necessary. Consequently, they would use technology to bring down costs, and the sharing economy meant that humanity’s better angels would emerge.

Yet Uber’s data breach has shown that our better angels have not come to the fore. Uber has not only lost the data of their customers; they have also done a number of things to resist the imposition of jurisdiction-specific business requirements, such as a minimum level of insurance, the creation of an inspection system, local checks or review of driver’s abstract/criminal history, or labour laws, arguing that they were too onerous or costly. However, it will be argued here that the only cost reductions created by Uber were ones that shifted the cost of a traditional cab service onto society. Take Toronto as an example. In 2012, Paul Moloney, reporting for the Toronto Star, noted that most cabs in Toronto travel:

“100,000 kilometres per year, some as many as 250,000 kilometres annually. Most cabs cannot operate longer than five years.” (Toronto taxis up for review: a look at the issues, by Paul Moloney, Toronto Star, Sept. 24, 2012)

Now compare that to what Tracey Cook (head of the licensing department in Toronto) was quoted as saying:

“Ms. Cook said Uber was co-operating with the city and already following the new rules, including one that forbids cars older than seven years from being used as Uber cars or taxis. That change alone has pulled 30 per cent of Uber’s cars in Toronto off the road, she said.” (Toronto announces new Uber licence, background checks for drivers, Globe and Mail, by Jeff Gray & Oliver Moore, published Aug. 16, 2016, updated Mar. 24, 2017)

Or put differently, Uber seems to be willing to use cars which were older, and likely less safe, than Toronto cabs, simply to make money. Consequently, as with many other corporations who have experienced physical and digital failures, like data breaches, it will be argued here that problems in one side of their business are symptoms of larger problems. After all, if simple safety regulations can cause a drop of 30% of Uber’s capacity in one city, it could be easily argued that they have not always taken the responsibility to protect their stakeholders seriously.

With this type of track record, it is not surprising to learn that in 2016, the personal data and financial information of the 57 million passengers and drivers who partner with Uber was stolen. However, it should bother us that Uber decided to cover up the problem; and the cover-up was not small. While we are unsure how many Canadians were affected in the heist, we do know that this breach has been multijurisdictional. 2.7 million people in the UK were affected by the 2016 security breach that compromised customers’ information, including names, email addresses and mobile phone numbers. We also know that class-action lawsuits have been filed in California, Washington State, BC and Alberta against the company.

As noted previously, this wide-scale data theft was not a problem in 2006 when taxi cab companies were locally based. It was not a problem because a hundred years of experience protected us from it and a system was devised to protect citizens. Accordingly, this multijurisdictional problem begs one question: who is going to provide and pay for digital security when we are either on-line or off-line?

As has been shown, firms like Uber or Equifax are not paying sufficient attention to this issue. The Uber breach has also shown us the problem with the existing regulatory scheme. In some countries, like Australia, the Philippines, the US, the UK and Italy, privacy regulators have launched investigations with varying results.

Uber Canada’s spokesperson Susie Heath might be said to be giving a response that privacy regulators in many countries have heard. In a published statement, Ms. Heath said that “the privacy of our riders and drivers is of paramount importance for Uber”.

Increasingly, it is clear that the existing light regulatory touch is inadequate. Where the market fails, governments have to come to the fore; and government action is badly needed right now. For what else can anyone say when, in the last 12 months, Uber lost the data of 57 million people, while, due to Equifax’s breach, 143,000,000 people across North America lost control of their financial data?

Without mentioning the other issues Uber is facing right now, let’s agree on one thing: from a digital security point of view, Uber is an example of a flawed company. It would be the contention of this paper that Uber is not the only flawed company in our economy, as many data breaches have come to the fore recently. It is for this reason that we need to take a serious look at regulating them. However, the question remains: how? It will be argued here that we can start by internalizing the externality that they created.

An externality is an economic term which simply means that an economic model is not paying the cost that their behaviour is incurring. Think of pollution. Oftentimes, a factory or a plant will release pollution into the atmosphere. That release of pollution is an externality. For another company, country or person will eventually have to pay the cost of that release. That cost could be paid in health or environmental consequences. As an example, it could lead to unnecessary ash or loss of the usefulness of neighbouring land. Either way, there is a cost.

To prevent externalities from being a problem, governments, regulators or courts often force companies to deal with the problems that they have caused. In Alberta, as an example, private industry has had to deal with carbon levies and/or taxes to ensure that they are going to reduce their carbon emissions. Similar policy tools could be used to ensure that digital firms are not creating externalities within Canada. This approach is simple and effective and might explain some of the savings that digital firms have provided.

If you still question this concept, let’s find some proof. When I looked up the estimate of the cost of taking a cab – according to taxifarefinder.com – from my place to the Calgary International Airport, I was told that the cost would likely be $51.48. If the traffic was light, it could be as cheap as $46.98; while if the opposite happened, it could be as much as $71.15. If I wanted to have the fastest route, it would be between $59.23 and $74.99 with the mean being $62.16. Given that I have taken this trip a couple of times, I tend to agree with the estimates.

On the other hand, if I were to take a ride on UberX, it would only cost between $38 and $49. If I were to upgrade, the cost would be between $65 and $85 for UberXL and between $80 and $104 for UberSelect. It would be hard for me to argue that the cost savings are not evident. Furthermore, a passenger could get a variety of ride solutions which are likely cheaper than the existing marketplace.

However, we can now also acknowledge that the $14.48 (i.e., $51.48 – $38) of price savings that comes with using an Uber car leads to some hidden costs. Or put differently, there is the cost of losing control of one’s financial data. This can be quantified. As an example, if everyone who took an Uber ride also monitored their credit as a way of reducing the risk and cost of identity theft, our society would be paying for more than just the use of cabs to get from “A” to “B”. TransUnion Credit Monitoring, as an example, is $19.95 per month. Accordingly, using the previous example of my trip from my home to Calgary International Airport, an Uber user would have to spend $4 more a month. That cost increase comes before the thousands of dollars’ worth of losses that might come with any nefarious acts which might result from the loss of your digital identity.

So when we think back to Uber’s entry into Canada, we ignored the potential savings embedded in our existing taxi cab regulatory framework. Instead of looking at our existing taxi cab regulatory framework as a benefit, we said that because our existing taxi cab regulatory model is based on a hundred-year-old scheme, it was no longer modern. We also came up with the notion that Uber was just a digital company that made an application and was not responsible for the social costs of change. This, as advocates said, was the way of the future, and this business model would reduce costs and provide greater efficiency. However, now, I hope that we can see that this model was one that just created a large externality and requires a solution for the benefit of our society.

With all this being said, let me be clear: I am not arguing that Uber or other digital firms should cease their operation in Canada. These firms have provided some benefit and might provide more in the future. However, we do need to apply some regulation to digital firms who service Canada but who physically reside outside of Canada.

So what do I suggest? Actually, I have two suggestions. Firstly, governments need to evolve to fill the gap. Governments in Canada – municipal, provincial and federal – should not be afraid of this coming world. They should embrace it. For more companies will come. They may come from Silicon Valley or New York or Beijing or Paris or London, but they will come. Consequently, we need to find ways to ensure that these global digital giants will comply with Canadian law.

Now, let’s be honest, Canada has done this for years. Back in the 2000s, Sirius and XM came before the CRTC to get a licence. They could have ignored the CRTC, but they didn’t. They came to deal with the CRTC as companies like NBC, ABC and CBS did. The actions of those companies set an example for companies like Netflix and Google to follow since. For as Canada is a country ruled by laws, digital corporations know that they are ultimately accountable to the law. Or put differently, if Netflix, Google, Uber or AirBnB try to sidestep the law, regulators have the right to exercise their legal options. In Montreal’s case, this meant seizing the cars of Uber drivers who didn’t comply with the laws of Quebec.

However, those regulators could go further. For example, while large digital companies could provide services, if they don’t comply with Canadian laws, regulators could seek court orders to ensure that the fees paid don’t leave Canada. Such action, while drastic, is possible. In many ways, it mirrors the actions that a variety of countries took against Waterloo-based BlackBerry in the 1990s to ensure its compliance with those countries’ local laws. Further, given the highly regulated nature of Canadian financial companies – everything from payday lenders and money transferors to banks and insurers – one could say that the concerted action of regulators would get companies’ attention. The only question is: will the governments of Canada – our federal, provincial and municipal governments and their agencies – have the will to enforce them? To date, this has largely not been the case.

Secondly, digital corporations need to be prepared to accept responsibility for the action, or lack of action, within their firms. Take the Ford Pinto as an example. When North American car companies were unwilling and unable to improve quality in the 1970s and 1980s, society desired change. However, they were yet to have an example or symbol of that change. When the Ford Pinto came to the market and had problems with its exploding gas tanks, society understood that car companies were abdicating their responsibility. It was then that society and government acted to deal with the poor customer protections, problematic tort and product liability laws and poor corporate citizenship.

Today, the same action should be taken with large digital firms. As they have largely abdicated the responsibility of self-regulating their behaviour, we as a society must begin to impose rules. Now, for those who feel that government doesn’t have the knowledge to do this, I simply disagree. We have tools from more than 100 years of management of oil companies, banks and insurance firms; and many of those same measures have some relevance here. For the risk of the loss of data is similar to the risk of an oil spill or a financial company’s bankruptcy. They are systemic losses which we can calculate.

For example, in the case of Uber or Equifax, the loss would be identity theft. This would require a sort of policing and monitoring of accounts of those who are affected and figuring out a way of detecting new accounts which are dubious or fraudulent. Such an agency could look like Alberta’s Orphan Wells Association, CDIC, CIPF or Assuris.

Digital Companies would be charged a fee. That fee would ensure that there are resources available when an issue results. If all goes well, the fund will grow and there will be sufficient funds to clean up problems. However, if the breach is larger than what the fund could deal with, a lump sum would be paid forward – either through an insurance policy, a bond or a payment from the company – to ensure that the mess is cleaned up.

As noted previously, compliance with such a fund is possible because digital companies provide real world goods. As Montreal has demonstrated with Uber, governments can make companies – regardless of size – comply if they have the will. If a company like Amazon falls out of compliance, as an example, customer-focused actions could result. This could mean that special fees could be assessed on their packages or those same packages could be seized at the border. Those types of actions would clearly grab the attention of the company in question to ensure compliance.

Or, if we found that customer-related action was inappropriate, one could simply focus on the financial side. A court could simply put forth an order to seize or freeze the funds of Amazon – in this example – until such time as they complied.

All big companies – from Facebook to Google, from Twitter to SnapChat, from Whisper to Tinder – survive because of their ability to change real world outcomes and their revenue sources. Without being able to deliver goods, companies like Spud.ca, Amazon and Apple would find their customer base would shrink. Without their revenues from membership fees, advertisers or partners, firms like Facebook, Google and Twitter would also have trouble.

For over a decade, we have lived without having regulation over the internet. Snapchat was hacked on December 31, 2013. AdultFriendFinder and Ashley Madison were hacked, revealing the information of 3.5 million and 32 million people, respectively. This year, Equifax and Uber were not alone; Whole Foods and Deloitte were also hacked. We need to get a hold of this, and it starts with regulating digital companies. Some might say that this would hurt our economy. However, our society already has to deal with the cost of identity theft, false transactions and other criminal behaviour, and these problems will only get worse. If we agree that the purpose of the State is to improve the lot of life for the majority of us, without harming the Other, then we need to have a regulatory framework to guarantee the benefits for all. Over the last two hundred years, we have seen the benefits of providing these guarantees. So it only makes sense that we should continue and provide a formal framework for large multinational digital firms.